Re: Source Port 0 Host Sweep

[JM <ubahmapk () gmail com>]

I had seen applications request port 0 when they really wanted the
next available port, but judging by where our IPS sits (on the edge of
the network) I don't think this is the case.

I have about 4 or 5 different internal IPs that are behaving this way.
 I'll have to look and see if they are scanning the same external IPs
(I'm obviously not able to access the console right now)  That would
be an interesting twist if they were.

I sent this information to our McAfee support and they had never seen
anything like this, either.  They were going to "escalate" my ticket. 
I'm not sure if it's encouraging to know I'm not stupid or saddening
that they don't know either :-)  At least my ignorance seems to be
well founded, eh?

If they come back with anything interesting, I will post back.

Thanks for the suggestions.  I suppose I could put a sniffer on the
PCs to see what I get from that, but it seems to be rather random
behaviour and I'm not sure how big my sniffer's buffer is.  I'll give
it a shot though if it comes to that.

On Sat, 8 Jan 2005 13:07:58 -0800, GuidoZ <uberguidoz () gmail com> wrote:
> Hello JM.
>
> I'm not sure if this applies in your case, however I've seen ACK
> sweeps before that originated from what was reported as port 0,
> although it was really just a dynamically assigned port (1024+). I'm
> not familiar with your IPS, so I can't say how it gathers data.
>
> As you likely know, many applications don't care what port they are
> provided for a network connection, so they "ask" the OS to assign the
> "next available port". In point of fact, they ask for port 0, but are
> assigned one starting with port 1024. It's possible that the IPS is
> picking up this "next available port"... though it seems unlikely.
> It's about all that popped into my head.
>
> The only other thing I can think of is what port 0 is normally used
> for - to help determine the operating system. However, when used in
> this way, the destination IP address will be 0.0.0.0 and the ACK bit
> will be set. Are the scans determined to be coming from different IP#s
> for sure? It might be a wise idea to do some packet sniffing to see
> what data is being sent, if any, besides the ACK.
>
> Best of luck.
>
> --
> Peace. ~G
>
>
> On Fri, 7 Jan 2005 10:32:41 -0600, JM <ubahmapk () gmail com> wrote:
> > I am receiving some alerts on our IntruShield IPS of a few internal
> > hosts "TCP: ACK Host Sweep"ing the network.  All sweeps have dest port
> > 80 (and more interestingly) source port 0.
> >
> > I'm familiar with Host Sweeps and port 80 and know that port 0 is a
> > valid port, but I've never seen anything actually _use_ it.
> >
> > I have googled and searched all the archives I could find and haven't
> > seen anything describing this behaviour.
> >
> > I want to send our HW techs to the machines (all windows PCs) and have
> > them cleaned, but I can't even tell them what to look for.
> >
> > Does anyone know of any app/malware/virus that causes this sort of Host Sweep?
> >
> > JM